Re: EXT :Re: CD Burner Auditing

From: "Boyce, Kevin P. (AS)" <kevin.boyce@ngc.com>
To: Satish Chandra Kilaru <iam.kilaru@gmail.com>
Cc: "linux-audit@redhat.com" <linux-audit@redhat.com>
Subject: Re: EXT :Re: CD Burner Auditing
Date: Tue, 22 Apr 2014 15:44:45 -0400	[thread overview]
Message-ID: <5356C6AD.6000000@ngc.com> (raw)
In-Reply-To: <CAAnai+VKhuRJrP6gddJqn+HW8FgXiuqcO4VQeKip1JN=79Ew=Q@mail.gmail.com>

[-- Attachment #1.1: Type: text/plain, Size: 2934 bytes --]

Does the audit subsystem have the ability to dynamically create new 
auditing rules using another event as the trigger?

Any examples on how to implement that?

Kevin

On 04/22/2014 03:39 PM, Satish Chandra Kilaru wrote:
> Even if there is a file system it may not be mounted on a known a folder.
> But monitoring access of sensitive content and execution  of burning 
> programs can provide clues.
> You can use audit dispatcher to react to audit events.... When u get a 
> MOUNT event you can see where sr0 is mounted and start a new watch for 
> that path. If you are not writing an ISO I think it has to be mounted.
>
> On Tuesday, April 22, 2014, Boyce, Kevin P. (AS) <kevin.boyce@ngc.com 
> <mailto:kevin.boyce@ngc.com>> wrote:
>
>     Hmm.  That is an interesting thought, but I would think there is
>     no filesystem that would be able to be mounted until the user has
>     written something to the disc first. In other words I don't
>     believe blank media gets mounted as part of the burning process
>     (at least not in my experience anyways--maybe I'd need to turn
>     some feature on for that?).
>
>     Kevin
>
>     On 04/22/2014 03:32 PM, Satish Chandra Kilaru wrote:
>>     One way is to watch for the main folder where /dev/sr0 is
>>     mounted. That way everything under that is watched.
>>     If an ISO is burned then we cannot know what is inside that ISO.
>>
>>     An alternative is to watch access to known sensitive files on the
>>     machine (whose cd burner you want to watch). and known burning
>>     commands. That way you know who is accessing sensitive content.
>>     If the same login session generates events for these files and
>>     programs they might be burning sensitive files.
>>
>>
>>     On Tue, Apr 22, 2014 at 3:14 PM, Boyce, Kevin P. (AS)
>>     <kevin.boyce@ngc.com
>>     <javascript:_e(%7B%7D,'cvml','kevin.boyce@ngc.com');>> wrote:
>>
>>         Does anyone know if it is possible to audit what filenames
>>         users are burning to optical media?
>>
>>         I suppose I can put a watch on the /dev/sr0 device for write
>>         events, but this does not give me any idea what was written
>>         to the disc.  I suppose I could also set an execve watch all
>>         burner programs, eg. /usr/bin/k3b /usr/bin/brasero
>>         /usr/bin/cdrecord /usr/bin/cdrdao /usr/bin/dvdrecord,  to
>>         know if someone opened the burning interface; but how could I
>>         tell what it was they were writing?
>>
>>         Any suggestions are welcome.
>>
>>         Kevin
>>
>>         --
>>         Linux-audit mailing list
>>         Linux-audit@redhat.com
>>         <javascript:_e(%7B%7D,'cvml','Linux-audit@redhat.com');>
>>         https://www.redhat.com/mailman/listinfo/linux-audit
>>
>>
>>
>>
>>     -- 
>>     Please Donate to www.wikipedia.org <http://www.wikipedia.org>
>
>
>
> -- 
> Please Donate to www.wikipedia.org <http://www.wikipedia.org>

[-- Attachment #1.2: Type: text/html, Size: 5631 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]